[00:07.460 --> 00:15.000]  Hello everyone, I will continue to talk about some of the situations that will occur in other applications.
[00:16.320 --> 00:21.860]  Another situation is that there will be a loophole in the instant communication software.
[00:21.860 --> 00:31.260]  Many instant communication applications support one user sending a file to another user during operation.
[00:31.260 --> 00:34.800]  And this file is not just a picture or audio file.
[00:34.800 --> 00:39.440]  It can be another kind of document or binary file.
[00:39.440 --> 00:45.120]  And this kind of file will retain the original file name after it is sent.
[00:45.400 --> 00:51.680]  If this file name is not fully verified during the download process,
[00:51.680 --> 00:59.940]  it may save this file to any path after the file is downloaded.
[00:59.940 --> 01:03.880]  This will cause a loophole and cause some subsequent effects.
[01:04.880 --> 01:09.460]  How to find such files in the instant communication software?
[01:11.000 --> 01:18.900]  First, we need to send a file with a malicious file name.
[01:18.900 --> 01:25.000]  Then we need to ask the target user to click and download this file.
[01:25.040 --> 01:32.040]  One of the most difficult processes is how to send such a file.
[01:32.040 --> 01:35.040]  Because in the process of implementing the instant communication software,
[01:35.040 --> 01:40.760]  it directly takes the relevant file from the file processor or some other components,
[01:42.640 --> 01:45.360]  and then obtains the file name.
[01:45.360 --> 01:49.640]  It does not support directly specifying the file name of the target.
[01:49.640 --> 01:55.460]  So we need to send a file with a malicious file name through some intermediaries or hooks or re-packaging.
[02:03.100 --> 02:07.180]  It is possible to send such a file through intermediaries.
[02:08.080 --> 02:12.680]  Because we found that in the process of analyzing a certain instant communication software,
[02:12.680 --> 02:22.980]  it used some requests to pass the file name through Base64 and some code through HTTPS.
[02:23.500 --> 02:29.120]  However, we did not find such a case in the actual application process.
[02:29.120 --> 02:33.500]  So it's just that intermediaries have a possibility.
[02:33.500 --> 02:36.060]  There may be such a situation in other applications.
[02:38.160 --> 02:44.580]  Through the way of hooking, we have a relatively rich harvest.
[02:44.580 --> 02:55.920]  In the whole series of Tencent QQ, whether it is QQ Team or QQ International or Weiliao,
[02:55.920 --> 03:00.360]  it can all be done through a way of hooking.
[03:00.360 --> 03:08.680]  When we send a file, there is a file manager entity in the middle.
[03:08.680 --> 03:14.360]  In such a file entity, we hook this thing down and send a file name to it.
[03:14.360 --> 03:19.140]  Replace it with a file name that we need to specify with a dot-dot-dot.
[03:19.420 --> 03:21.100]  Then send it to the end.
[03:21.180 --> 03:23.900]  The end will display such a file.
[03:23.900 --> 03:29.060]  After it is downloaded, it will be stored in one of the paths we specified.
[03:31.260 --> 03:38.400]  However, there will be some limitations in the process of using this loophole.
[03:39.160 --> 03:45.240]  This limitation is due to some problems with the Java API itself.
[03:45.240 --> 03:52.200]  When it downloads, it downloads to a temporary folder on the SD card.
[03:52.380 --> 03:54.360]  A temporary path below.
[03:54.360 --> 03:59.730]  After downloading, use the RenameTo API to make a copy.
[03:59.730 --> 04:05.490]  However, this RenameTo API is a very strange API.
[04:05.490 --> 04:10.210]  It can be said to be an incomplete API.
[04:10.210 --> 04:17.010]  When it copies from one file system to another file system, it will return false.
[04:17.710 --> 04:19.870]  So the copy is unsuccessful.
[04:19.870 --> 04:25.290]  If the target file exists or the target folder does not exist, it may also return false.
[04:25.290 --> 04:31.890]  In this code, Tencent QQ does not perform any fault-tolerance operation.
[04:31.890 --> 04:36.350]  After it fails to copy, it will throw an exception directly,
[04:36.350 --> 04:42.870]  saying the exception is RenameFileFail or RenameFileError, that kind of situation.
[04:42.870 --> 04:48.730]  If it has the means of tolerance to ensure that this file can be copied normally,
[04:48.730 --> 04:51.590]  this is actually an opportunity.
[04:52.770 --> 04:56.650]  But we can't say that this loophole can't be used.
[04:56.650 --> 04:59.590]  Although it can only be traversed under the SD card,
[05:00.750 --> 05:04.790]  for example, at Mobile Pwn2Own 2017,
[05:05.370 --> 05:11.050]  MWR has already used such a loophole in their use of Samsung phones.
[05:12.350 --> 05:16.550]  It is to rewrite an INI configuration file on the SD card,
[05:16.550 --> 05:23.170]  and then change the HTTP of the server in this file to point to their own,
[05:23.170 --> 05:24.930]  and then do a middleman attack,
[05:24.930 --> 05:29.950]  which achieves the effect of being able to install a malicious application.
[05:30.750 --> 05:37.150]  So although this looks very fierce,
[05:37.150 --> 05:41.610]  it is also possible to produce some beneficial effects.
[05:41.610 --> 05:47.190]  Then, what do we need to pay attention to in the process of hooking to modify this file name?
[05:48.610 --> 05:54.990]  In fact, the most important thing is to find a suitable location to place such a hook.
[05:55.890 --> 06:01.510]  Such a suitable location may usually be a defined class.
[06:02.010 --> 06:07.670]  This class includes some relevant information about the file that needs to be transmitted,
[06:07.670 --> 06:11.430]  such as the file name, file size, etc.
[06:14.330 --> 06:19.250]  However, such a class requires us to manually analyze,
[06:19.250 --> 06:25.810]  for example, how it gets this file when it starts,
[06:25.810 --> 06:30.870]  and then how it stores it and what data structure it reads it into.
[06:30.870 --> 06:32.350]  There is another way,
[06:32.350 --> 06:40.170]  it may store these files in a data structure such as a standard map in Java,
[06:40.170 --> 06:45.270]  and then take it out when it is sent and put it in the corresponding request.
[06:47.470 --> 06:54.130]  We can complete the entire analysis process through a manual trace.
[06:54.930 --> 06:59.570]  Of course, we have also explored a process related to automating this process,
[06:59.570 --> 07:04.310]  that is, it may be possible to do such a method through taint analysis.
[07:05.310 --> 07:08.050]  There are some problems with static taint analysis.
[07:08.610 --> 07:11.770]  For example, there are some problems with the hidden call,
[07:11.770 --> 07:15.430]  such as the multi-line of this bind.
[07:16.850 --> 07:20.110]  For dynamics, we have a simpler way,
[07:20.110 --> 07:23.510]  which is to hook up the relevant file name.
[07:23.510 --> 07:29.430]  For example, we want to send a file name 1,
[07:29.430 --> 07:32.450]  and then we can hook up all the files to read and write,
[07:32.450 --> 07:34.670]  and then print out the return number.
[07:35.850 --> 07:39.030]  Through this multi-stage binding,
[07:39.030 --> 07:45.550]  we can reproduce the entire process and find some points of such a hook.
[07:47.730 --> 07:49.470]  In addition to this hook,
[07:49.470 --> 07:53.730]  there may also be a method of re-packaging or re-producing.
[07:53.950 --> 07:56.870]  If this application is not obfuscated very heavily,
[07:56.870 --> 08:01.370]  we can use reverse analysis to specify its relevant source code.
[08:01.370 --> 08:04.470]  In the process of sending files,
[08:04.470 --> 08:06.830]  maybe its file name is already specified in a certain function,
[08:06.830 --> 08:09.510]  in a certain amount of power.
[08:09.650 --> 08:13.350]  For example, CVE-2017-17715.
[08:13.410 --> 08:19.370]  This is a loophole found by Project Zero in Telegram Messenger,
[08:20.070 --> 08:21.690]  which is also a path traversal.
[08:21.730 --> 08:26.710]  When sending files to other users or in the group,
[08:28.470 --> 08:30.710]  a file with a dot-dot-slash can be sent.
[08:30.710 --> 08:33.950]  When the file is downloaded, it will also be affected.
[08:34.170 --> 08:39.990]  This loophole is re-packaged or re-produced by Natalia.
[08:40.090 --> 08:42.710]  It is directly specified in the APK,
[08:43.410 --> 08:46.490]  and then re-packaged and modified.
[08:46.490 --> 08:50.970]  When running, a malicious file name is sent.
[08:53.030 --> 08:56.230]  Of course, in addition to the above scenario,
[08:56.230 --> 08:59.090]  there may also be a cloud disk.
[08:59.090 --> 09:02.050]  When the cloud disk file is downloaded, there will be some problems.
[09:02.050 --> 09:04.990]  For example, when the cloud disk is stored,
[09:04.990 --> 09:08.190]  the existing file name must not be stored in the server.
[09:08.190 --> 09:11.110]  It should be in the form of a hash file.
[09:11.630 --> 09:14.290]  Then, through some searches,
[09:14.290 --> 09:17.250]  the actual file name is unzipped.
[09:17.490 --> 09:24.330]  Then, this file name may not be very standardized
[09:24.330 --> 09:27.770]  or filtered for some dot-dot-slash.
[09:27.770 --> 09:30.330]  Then we also have a chance.
[09:30.390 --> 09:36.150]  There are also some manual backups or restores.
[09:36.250 --> 09:38.530]  This may also happen.
[09:39.850 --> 09:42.890]  Then let's talk about the third link,
[09:42.890 --> 09:45.390]  which is some useful skills.
[09:45.410 --> 09:48.610]  Next, we will talk about some actual loopholes.
[09:52.380 --> 09:56.380]  Before using, we need to figure out a few problems.
[09:56.380 --> 10:01.320]  One of them is what kinds of loopholes we can classify them into.
[10:03.200 --> 10:05.320]  I have divided it into three categories.
[10:05.320 --> 10:13.300]  The first category is a single path traversal loophole.
[10:13.300 --> 10:19.400]  In this kind of loophole, most of it is caused by the output of the component plus some logical loopholes.
[10:19.400 --> 10:23.960]  For example, this content provider and this file copy.
[10:25.020 --> 10:31.480]  The second category is a path traversal loophole that can directly cover any file.
[10:32.320 --> 10:34.920]  This is widely used.
[10:34.920 --> 10:37.700]  In last year's Mobile Pwn2Own,
[10:37.700 --> 10:41.460]  there were two cases like this.
[10:41.460 --> 10:45.280]  This is also the most commonly used one.
[10:45.280 --> 10:47.980]  There may be a path traversal loophole in Zip.
[10:48.260 --> 10:53.800]  The third category is some other categories.
[10:53.800 --> 10:57.460]  We can download something.
[10:57.460 --> 10:59.070]  But in the process of downloading,
[11:00.500 --> 11:02.560]  due to some business needs,
[11:02.560 --> 11:05.480]  it will check whether this file exists.
[11:05.480 --> 11:08.740]  If this file exists, it will be renamed.
[11:08.740 --> 11:13.560]  In this case, it will not cause a copy of any file.
[11:14.340 --> 11:18.280]  In this case, it is usually difficult to use,
[11:18.280 --> 11:20.620]  but there is no way.
[11:20.620 --> 11:22.740]  We will have a related introduction later.
[11:23.900 --> 11:30.160]  This is a classic code that is renamed after the file is downloaded.
[11:31.400 --> 11:38.460]  It usually adds some extra characters before the original file is traced.
[11:38.600 --> 11:44.260]  In addition to this loophole classification,
[11:44.380 --> 11:47.960]  we also need to figure out
[11:47.960 --> 11:50.420]  which files are used in the application.
[11:50.420 --> 11:53.380]  In the process, which files are used?
[11:53.540 --> 11:57.080]  The first category is a very general file.
[11:57.520 --> 11:59.820]  Basically, all applications will have it.
[11:59.820 --> 12:02.120]  It is SharedPreferences.
[12:03.040 --> 12:05.480]  There are many configurations in XML files.
[12:05.480 --> 12:07.780]  These configurations may have some related information.
[12:07.780 --> 12:10.480]  Then there is the SQLite database.
[12:10.980 --> 12:14.680]  This type of file contains some related data,
[12:14.680 --> 12:16.580]  such as contacts, etc.
[12:20.280 --> 12:22.920]  In recent years,
[12:24.700 --> 12:27.680]  Android applications on the market are getting bigger and bigger.
[12:27.680 --> 12:30.280]  They have more and more functions.
[12:30.280 --> 12:36.940]  In order to ensure that the size of the initial package is small enough,
[12:36.940 --> 12:39.700]  some complex functions,
[12:39.700 --> 12:42.860]  such as video playback and image analysis,
[12:43.140 --> 12:44.920]  will be loaded as a plug-in.
[12:44.920 --> 12:47.860]  It will be loaded dynamically.
[12:48.320 --> 12:50.940]  It will even be dynamically updated.
[12:50.940 --> 12:52.680]  Then there is the hot patching mechanism.
[12:52.680 --> 12:57.240]  There are many hot patching frameworks developed in China.
[12:57.240 --> 12:58.920]  Because there is no Google Play,
[12:58.920 --> 13:01.920]  it produces such a relatively...
[13:05.750 --> 13:09.770]  Then there may be some binary files such as WatchServer.
[13:10.430 --> 13:15.890]  Such binary files will have some protection process, etc.
[13:15.890 --> 13:19.150]  In addition, there will also be some configuration files,
[13:19.150 --> 13:22.010]  such as the INI file mentioned earlier,
[13:22.010 --> 13:25.670]  or some files on the SD card outside the sandbox.
[13:26.990 --> 13:29.270]  We all have the opportunity to use these files.
[13:29.430 --> 13:33.770]  First, let's look at a case like CVE-2018-8084.
[13:34.010 --> 13:36.870]  This is a path traversal on a domestic browser.
[13:38.010 --> 13:40.350]  It is in the process of decompression,
[13:40.350 --> 13:41.930]  which is to download a zip package,
[13:41.930 --> 13:43.750]  and then manually decompress it.
[13:43.750 --> 13:47.650]  There is no correct verification of the content in this zip package.
[13:47.650 --> 13:49.650]  Then it will lead to...
[13:49.650 --> 13:52.070]  It can travel to any path.
[13:52.070 --> 13:56.250]  At the same time, this app is a browser app.
[13:56.250 --> 13:57.510]  So it supports...
[13:57.510 --> 13:59.870]  It supports some video files.
[14:00.110 --> 14:03.950]  It supports playing some videos online.
[14:04.110 --> 14:08.810]  So it has a lot of SO files that exist in the form of plug-ins.
[14:10.510 --> 14:12.510]  For example, this libvplayer.so
[14:12.510 --> 14:14.810]  is a very good coverage target.
[14:14.810 --> 14:16.050]  We pass...
[14:16.050 --> 14:18.510]  We pass this...
[14:19.270 --> 14:20.550]  libvplayer.so
[14:20.550 --> 14:23.210]  JNI_OnLoad function rewrite.
[14:23.210 --> 14:24.290]  Then in this...
[14:24.290 --> 14:26.610]  Just download one of our...
[14:27.370 --> 14:27.850]  a shell.
[14:27.850 --> 14:29.570]  And then execute it.
[14:29.570 --> 14:32.030]  We can...
[14:32.030 --> 14:34.170]  When it plays a video,
[14:34.170 --> 14:36.150]  to get a shell.
[14:36.150 --> 14:37.970]  The interesting thing is that this loophole...
[14:37.970 --> 14:40.810]  After replacing this libvplayer,
[14:40.810 --> 14:43.650]  This app can still run normally.
[14:43.650 --> 14:45.830]  That is, the user has no perception.
[14:46.010 --> 14:49.090]  And in the process of decompression of this app,
[14:49.090 --> 14:51.350]  It also can't see this kind of loophole.
[14:51.350 --> 14:53.730]  So this loophole is still quite good.
[14:54.110 --> 14:56.090]  The second case is...
[14:56.090 --> 14:57.350]  It also uses a plugin.
[14:57.350 --> 14:58.670]  But it is...
[14:59.670 --> 15:00.250]  This...
[15:00.250 --> 15:01.570]  It can't...
[15:01.570 --> 15:03.570]  Directly cover these files.
[15:03.670 --> 15:06.330]  This loophole is in the web browser master.
[15:06.330 --> 15:07.750]  A path...
[15:07.750 --> 15:09.470]  When it downloads the plugin,
[15:09.470 --> 15:10.970]  There is a loophole.
[15:10.970 --> 15:13.750]  That is, a user sends to another user...
[15:14.770 --> 15:18.070]  When sending an app with a malicious file name,
[15:18.070 --> 15:19.310]  A malicious plugin,
[15:19.310 --> 15:21.650]  If it clicks to download,
[15:21.650 --> 15:24.190]  So when it downloads the next time,
[15:24.190 --> 15:24.830]  No...
[15:24.830 --> 15:27.830]  When it re-opens the app next time,
[15:27.830 --> 15:29.330]  There is a possibility that it will cause...
[15:29.330 --> 15:31.270]  An RCE attack.
[15:31.270 --> 15:33.550]  The specific situation of this loophole is like this.
[15:33.550 --> 15:35.710]  That is...
[15:35.710 --> 15:36.410]  Well...
[15:37.950 --> 15:40.010]  In the process of forcing use,
[15:40.010 --> 15:42.490]  Because when we are in the file hook,
[15:42.490 --> 15:43.630]  We will find...
[15:43.630 --> 15:45.630]  It has a file called FinalCore.java.
[15:46.130 --> 15:48.950]  Then before this FinalCore.java,
[15:48.950 --> 15:50.810]  It will first detect this...
[15:50.810 --> 15:51.710]  NewCore.java...
[15:51.710 --> 15:52.950]  Such a file.
[15:54.990 --> 15:55.550]  Well...
[15:55.550 --> 15:58.030]  Let's confirm this...
[15:58.030 --> 15:59.270]  Related logic code.
[15:59.270 --> 16:01.790]  It depends on where these two files are read.
[16:02.190 --> 16:03.570]  There are two ways.
[16:03.570 --> 16:05.330]  Because the application of NetEase Mailbox Master,
[16:05.330 --> 16:06.190]  It is...
[16:06.190 --> 16:08.250]  It has some mixed encryption.
[16:08.250 --> 16:10.890]  That is, its strings are at least obfuscated.
[16:10.890 --> 16:12.970]  For example, this A.C.
[16:13.150 --> 16:15.110]  Through some static methods,
[16:15.110 --> 16:16.030]  You can...
[16:19.230 --> 16:20.010]  Decrypt this algorithm.
[16:20.010 --> 16:22.570]  This is not a simple Base64 decode.
[16:22.570 --> 16:24.570]  It has some other steps.
[16:26.810 --> 16:27.430]  Then...
[16:27.430 --> 16:30.270]  You can also directly hook this A.C.
[16:30.270 --> 16:32.390]  Give its related results to...
[16:32.390 --> 16:34.670]  The return value.
[16:34.670 --> 16:36.430]  It can be dynamically decrypted.
[16:36.430 --> 16:37.470]  Anyway, we end up...
[16:37.470 --> 16:39.670]  Located here.
[16:39.830 --> 16:42.310]  The general logic is...
[16:42.310 --> 16:45.650]  Before loading this FinalCore.java,
[16:45.650 --> 16:46.690]  It will first check...
[16:46.990 --> 16:48.710]  Does this NewCore.java exist?
[16:48.710 --> 16:51.190]  If this NewCore.java exists,
[16:51.190 --> 16:52.630]  Rename it.
[16:52.630 --> 16:54.890]  Rename to this FinalCore.java.
[16:54.910 --> 16:56.390]  This business...
[16:56.910 --> 17:00.050]  When NetEase Mailbox Master first opened the screen,
[17:00.050 --> 17:01.350]  It has an ad.
[17:01.350 --> 17:03.910]  This ad has an update function.
[17:04.070 --> 17:05.450]  The update of this ad...
[17:05.450 --> 17:08.010]  Of course, it is not possible to download it every time.
[17:08.130 --> 17:10.010]  Reinstall such an application.
[17:10.010 --> 17:11.650]  And then update it.
[17:11.650 --> 17:12.670]  It can be dynamic.
[17:12.670 --> 17:14.250]  Push something.
[17:14.610 --> 17:16.670]  So it led to this loophole.
[17:17.070 --> 17:17.610]  We...
[17:18.630 --> 17:21.450]  Therefore, although we are in the process of re-downloading,
[17:21.450 --> 17:22.870]  It will be re-named.
[17:22.870 --> 17:24.670]  So we don't have this...
[17:24.670 --> 17:26.670]  The right to cover any file.
[17:26.930 --> 17:29.370]  But we can put such a NewCore.java.
[17:29.370 --> 17:31.830]  Then when it is downloaded next time,
[17:31.830 --> 17:34.930]  You may get a shell.
[17:35.390 --> 17:38.190]  In order to ensure the normal operation of this application,
[17:38.190 --> 17:41.510]  That is, to ensure that this exploit is good enough,
[17:41.510 --> 17:48.190]  We need to do some follow-up operations on the downloaded file.
[17:48.190 --> 17:48.890]  For example,
[17:48.890 --> 17:51.430]  If we want to ensure its function,
[17:51.430 --> 17:55.430]  We can only insert some smali code in it.
[17:56.230 --> 17:58.270]  Then get a shell.
[17:58.270 --> 18:00.270]  The usual method is...
[18:01.990 --> 18:03.110]  Generally speaking,
[18:03.110 --> 18:06.050]  We generate such a shell through Joseph or Metasploit.
[18:07.470 --> 18:10.090]  Then extract the shellcode from it.
[18:10.090 --> 18:12.650]  Finally, insert it into this related code.
[18:12.650 --> 18:15.910]  In the process of loading this DexClassLoader,
[18:15.910 --> 18:17.290]  In the process of this hook,
[18:17.290 --> 18:21.230]  We can tell which types are being loaded.
[18:21.230 --> 18:24.070]  Then in these types of structure functions,
[18:24.070 --> 18:26.470]  Or some with context functions,
[18:26.470 --> 18:30.550]  We can insert this related payload stager code.
[18:30.550 --> 18:33.790]  To get a remote reverse shell.
[18:36.030 --> 18:37.950]  In addition to the plug-in,
[18:37.950 --> 18:42.810]  Maybe the application itself also has some related codes.
[18:42.810 --> 18:43.850]  There is a loophole.
[18:43.850 --> 18:45.030]  For example,
[18:45.030 --> 18:47.670]  Natali found this...
[18:48.230 --> 18:51.250]  There is such a loophole in the traversal code in Telegram.
[18:51.250 --> 18:54.370]  It can't cause any file coverage.
[18:54.370 --> 18:58.430]  However, it is in this TGNet structure.
[18:58.430 --> 19:01.830]  TGNet is a network related structure that manages Telegram.
[19:03.550 --> 19:05.310]  It has a configuration file.
[19:05.310 --> 19:07.150]  In the process of loading the configuration file,
[19:07.150 --> 19:09.630]  It has a back-up mechanism.
[19:09.750 --> 19:10.950]  That is to say,
[19:10.950 --> 19:14.710]  It will first check if this .bak file exists.
[19:14.710 --> 19:16.570]  If this .bak file exists,
[19:16.570 --> 19:17.970]  Restore it.
[19:18.070 --> 19:20.560]  This is usually due to...
[19:20.560 --> 19:21.100]  This...
[19:21.100 --> 19:23.400]  In order to co-operate,
[19:24.380 --> 19:26.800]  Some related logic is set.
[19:28.380 --> 19:29.400]  Therefore,
[19:29.400 --> 19:32.240]  In the process of exploring this loophole,
[19:32.240 --> 19:35.880]  Found that if you write to this .bak file,
[19:35.880 --> 19:38.520]  It may lead to this...
[19:38.520 --> 19:40.720]  The file is in the process of analysis.
[19:40.720 --> 19:42.520]  Because of some format problems.
[19:42.520 --> 19:44.680]  Because there are also some loopholes in it.
[19:44.680 --> 19:45.680]  Such a loophole.
[19:45.680 --> 19:47.560]  It will lead to a crash.
[19:47.560 --> 19:48.520]  So...
[19:49.500 --> 19:51.520]  So there will be some impact.
[19:51.520 --> 19:52.440]  Then it also...
[19:53.100 --> 19:55.720]  In this TGNet.dat file,
[19:55.720 --> 19:56.580]  It also...
[19:57.280 --> 19:58.620]  Set this...
[19:58.620 --> 20:00.540]  Related to Telegram...
[20:01.400 --> 20:02.780]  An IP port of the server.
[20:02.780 --> 20:04.680]  So there is a potential possibility.
[20:04.680 --> 20:06.940]  If this Telegram protocol is...
[20:06.940 --> 20:08.160]  After you figure it out,
[20:08.160 --> 20:11.100]  It may be possible to make a session hijack.
[20:11.220 --> 20:12.260]  But in this case,
[20:12.260 --> 20:15.100]  Some more in-depth analysis may be needed.
[20:16.040 --> 20:18.880]  But if such a loophole is used,
[20:18.880 --> 20:20.740]  Specific applications are needed.
[20:20.740 --> 20:22.040]  To analyze in detail.
[20:22.240 --> 20:22.920]  And...
[20:22.920 --> 20:24.720]  It may be difficult to have some...
[20:24.720 --> 20:26.920]  It is difficult to have some output.
[20:27.020 --> 20:28.680]  We found...
[20:28.680 --> 20:31.200]  A more universal way of use.
[20:31.600 --> 20:34.420]  In AOSP's original...
[20:34.420 --> 20:36.040]  SharedPreferences.
[20:36.040 --> 20:37.100]  Such a very universal...
[20:37.760 --> 20:39.920]  A file type in the middle.
[20:40.060 --> 20:41.440]  It also has...
[20:41.440 --> 20:43.300]  Similar to this TGNet module.
[20:43.300 --> 20:45.560]  A backup mechanism.
[20:45.940 --> 20:47.160]  That is to say...
[20:47.160 --> 20:49.120]  Before it loads each...
[20:49.120 --> 20:50.040]  SharedPreferences...
[20:51.060 --> 20:52.540]  XML file.
[20:52.540 --> 20:55.060]  It will first check this related...
[20:55.060 --> 20:56.820]  Does BAK exist?
[20:56.820 --> 20:58.820]  If it exists, it is restored.
[20:58.820 --> 21:01.100]  After RESTORE, it can cause...
[21:01.100 --> 21:02.800]  An indirect write-in.
[21:02.800 --> 21:05.300]  That is to say, although we can't cover...
[21:06.140 --> 21:07.740]  Cover this XML.
[21:07.740 --> 21:09.660]  But we can write an XML...
[21:09.660 --> 21:10.720]  To BAK.
[21:10.720 --> 21:12.800]  In this way, when it loads...
[21:12.800 --> 21:15.100]  This loadSharePreference...
[21:15.100 --> 21:16.860]  It will also work.
[21:16.860 --> 21:18.640]  It is equivalent to...
[21:18.640 --> 21:20.320]  Covering this XML.
[21:20.320 --> 21:23.400]  Causing any SharedPreferences to be covered.
[21:25.340 --> 21:26.720]  In the case of Telegram...
[21:27.880 --> 21:29.400]  We can see...
[21:29.400 --> 21:31.400]  There is an XML called UserConfig.
[21:40.700 --> 21:42.990]  There will be its ID...
[21:43.660 --> 21:44.380]  FirstName...
[21:45.340 --> 21:46.080]  PhoneNumber...
[21:46.080 --> 21:47.340]  These things.
[21:48.570 --> 21:50.360]  After we cover this file...
[21:50.360 --> 21:51.660]  What effect can it cause?
[21:51.820 --> 21:55.120]  After covering TGNet and UserConfig at the same time...
[21:55.120 --> 21:58.700]  Can make this target user's...
[21:58.700 --> 21:59.000]  Account...
[21:59.000 --> 22:00.600]  Replace it with our own account.
[22:00.600 --> 22:01.420]  That is to say...
[22:01.420 --> 22:03.480]  It is like a...
[22:03.480 --> 22:06.380]  When other users send a file...
[22:06.380 --> 22:09.180]  We can see it here in real time.
[22:09.180 --> 22:12.920]  It creates a session hijack effect.
[22:12.920 --> 22:13.520]  Then...
[22:13.520 --> 22:16.660]  It also has a device binding effect.
[22:16.660 --> 22:17.500]  That is to say...
[22:17.500 --> 22:18.680]  It logs in there.
[22:18.680 --> 22:20.600]  Then I re-log in here.
[22:20.600 --> 22:22.280]  It can no longer...
[22:22.280 --> 22:24.420]  It can no longer forcibly...
[22:24.420 --> 22:25.720]  Force it offline.
[22:26.060 --> 22:29.220]  No matter whose account it logs in later...
[22:29.220 --> 22:30.960]  Because we have implemented...
[22:30.960 --> 22:32.560]  A device binding operation.
[22:32.560 --> 22:34.660]  As long as we forcibly log in here...
[22:34.660 --> 22:35.760]  It will offline there.
[22:35.760 --> 22:37.720]  No matter whose account it logs in.
[22:39.340 --> 22:41.380]  We can take a look at this...
[22:41.380 --> 22:42.520]  It is a common...
[22:42.520 --> 22:44.080]  Replacement of SharedPreference.
[22:44.080 --> 22:45.780]  What effect can it cause?
[22:47.400 --> 22:48.120]  This...
[22:48.120 --> 22:50.240]  In SharedPreference...
[22:50.240 --> 22:52.400]  Usually there will be some...
[22:52.400 --> 22:53.420]  Very important effects.
[22:53.420 --> 22:56.520]  For example, some links of HTTP.
[22:56.520 --> 22:58.260]  It may contain some...
[22:58.260 --> 22:59.580]  Download address of the plug-in.
[22:59.580 --> 23:00.620]  Update address.
[23:00.620 --> 23:01.680]  There will be some updates.
[23:01.680 --> 23:02.500]  There will be some...
[23:02.500 --> 23:05.300]  Some links of APK.
[23:06.380 --> 23:08.500]  If we change these places...
[23:08.500 --> 23:10.940]  It may cause RCE.
[23:10.940 --> 23:11.520]  Or...
[23:11.520 --> 23:13.240]  There is a way to do phishing.
[23:13.300 --> 23:16.320]  Then it may specify some plug-ins.
[23:16.680 --> 23:17.280]  Or...
[23:17.280 --> 23:19.440]  A version code itself.
[23:19.440 --> 23:21.760]  If we lower it...
[23:21.760 --> 23:22.840]  That is to say...
[23:22.840 --> 23:23.800]  It was originally 6.1.
[23:23.800 --> 23:24.980]  You change it to 6.0.
[23:24.980 --> 23:26.960]  Then in the next check update...
[23:26.960 --> 23:28.540]  There will be an update.
[23:28.540 --> 23:29.960]  Then according to...
[23:29.960 --> 23:32.320]  Some links of HTTP.
[23:32.680 --> 23:34.120]  It may...
[23:34.120 --> 23:36.140]  Implement this attack.
[23:37.080 --> 23:37.500]  That is to say...
[23:37.500 --> 23:40.820]  Run the update logic.
[23:42.880 --> 23:44.300]  There are some related...
[23:44.880 --> 23:46.000]  Hash files.
[23:46.800 --> 23:48.620]  You want to download an...
[23:48.620 --> 23:49.800]  SO.
[23:49.800 --> 23:52.480]  But it may be through an HTTPS.
[23:52.480 --> 23:54.640]  It has already downloaded the SO MD5.
[23:54.860 --> 23:56.400]  Even if you replace it...
[23:56.400 --> 23:57.300]  It is also...
[23:57.300 --> 24:00.360]  In the process of integrity verification...
[24:00.360 --> 24:02.040]  It will fail.
[24:02.660 --> 24:03.840]  So if we...
[24:03.840 --> 24:05.700]  After replacing all these things...
[24:05.700 --> 24:08.120]  You can implement the whole attack.
[24:08.620 --> 24:09.580]  And then...
[24:09.580 --> 24:12.020]  There may be some server-related codes.
[24:12.020 --> 24:13.460]  For example, in some browsers...
[24:13.460 --> 24:15.440]  It will have some DNS cache.
[24:15.480 --> 24:17.440]  Some IP port.
[24:17.440 --> 24:19.100]  Even some proxy.
[24:19.100 --> 24:20.600]  After modifying these things...
[24:20.600 --> 24:21.620]  It can also achieve...
[24:22.740 --> 24:25.320]  Some cool effects.
[24:27.080 --> 24:28.420]  The third...
[24:28.420 --> 24:31.320]  One point we can pay attention to is...
[24:31.320 --> 24:33.060]  Android's hot patching.
[24:33.060 --> 24:34.160]  That is...
[24:34.970 --> 24:37.080]  In the middle of the path traversal loophole...
[24:37.080 --> 24:38.340]  This kind of loophole...
[24:38.340 --> 24:40.200]  This kind of file also has...
[24:40.200 --> 24:41.760]  A great opportunity.
[24:43.260 --> 24:44.900]  Hot patching is...
[24:44.900 --> 24:46.100]  In the application...
[24:46.100 --> 24:47.920]  When you don't need to reinstall...
[24:47.920 --> 24:50.560]  It can be very fast and convenient...
[24:50.560 --> 24:52.300]  Put this resource file...
[24:52.300 --> 24:53.460]  Even...
[24:53.780 --> 24:55.320]  Dex files, SO files...
[24:55.320 --> 24:56.960]  Some updates...
[24:56.960 --> 24:59.680]  It can be used to quickly repair...
[24:59.680 --> 25:01.260]  Some emergency booting...
[25:01.260 --> 25:02.500]  In some cases...
[25:02.500 --> 25:05.300]  It is widely used in large applications.
[25:07.420 --> 25:08.780]  In China...
[25:08.780 --> 25:12.380]  All major manufacturers have some related frameworks.
[25:12.380 --> 25:13.660]  For example, Tencent...
[25:13.660 --> 25:14.380]  There are many...
[25:14.380 --> 25:15.620]  For example, Tinker...
[25:18.060 --> 25:18.780]  SuperHardPrint...
[25:18.780 --> 25:19.500]  And...
[25:19.500 --> 25:21.520]  WeChat Reading...
[25:22.360 --> 25:23.080]  Ali...
[25:24.480 --> 25:25.200]  Meituan...
[25:26.620 --> 25:29.100]  Hot patching will introduce some new problems.
[25:29.100 --> 25:30.060]  That is...
[25:30.060 --> 25:31.860]  It is difficult for us to guarantee...
[25:31.860 --> 25:34.160]  The completeness of the downloaded code...
[25:34.160 --> 25:36.340]  We can control it.
[25:36.400 --> 25:37.480]  That is...
[25:37.480 --> 25:39.220]  It may be tampered with...
[25:39.220 --> 25:40.660]  Or it may load some...
[25:41.210 --> 25:42.980]  Some codes that we can't control.
[25:43.020 --> 25:43.940]  In this case...
[25:43.940 --> 25:47.140]  It may lead to the execution of arbitrary codes.
[25:47.140 --> 25:48.940]  This is a very dangerous effect.
[25:50.320 --> 25:51.480]  In our...
[25:52.400 --> 25:52.980]  For...
[25:52.980 --> 25:55.220]  In our process of debugging the mail application...
[25:56.320 --> 25:57.540]  We also found that...
[25:57.540 --> 25:58.760]  In QQ Mail...
[25:58.760 --> 26:00.080]  There are also related...
[26:00.950 --> 26:02.520]  Related path traversal vulnerabilities.
[26:02.520 --> 26:04.960]  It can't cause arbitrary files to be overwritten.
[26:04.960 --> 26:07.060]  But it has a hot update mechanism.
[26:07.060 --> 26:09.520]  Let's take a look at a related implementation of its hot update mechanism.
[26:10.500 --> 26:12.320]  When it is updated...
[26:12.320 --> 26:13.420]  It will download this...
[26:13.420 --> 26:15.340]  Download this link.
[26:15.340 --> 26:17.960]  Then do some signature verification.
[26:17.960 --> 26:19.280]  After the signature verification...
[26:19.280 --> 26:21.100]  There may be some MD5 verification.
[26:21.100 --> 26:22.260]  In the middle of these processes...
[26:22.260 --> 26:23.800]  There is no problem.
[26:24.060 --> 26:26.360]  Then it will put this...
[26:26.360 --> 26:27.640]  The DEX file inside...
[26:27.640 --> 26:29.880]  To a specific folder.
[26:30.040 --> 26:31.540]  This specific folder...
[26:31.540 --> 26:33.180]  Is specified in an XML.
[26:33.180 --> 26:36.060]  Up to this point...
[26:36.060 --> 26:36.840]  There is no problem.
[26:36.840 --> 26:39.420]  Because we can't control all of these.
[26:39.820 --> 26:41.280]  But when it is...
[26:43.120 --> 26:43.480]  Hot updating...
[26:43.840 --> 26:45.680]  It has some...
[26:45.680 --> 26:47.480]  Very dangerous operations.
[26:47.480 --> 26:49.660]  It uses a list file operation.
[26:49.660 --> 26:51.180]  That is to say, it will put this...
[26:52.660 --> 26:54.320]  Under the hot update path...
[26:54.320 --> 26:55.620]  All the DEX files...
[26:55.620 --> 26:57.600]  List them all.
[26:57.600 --> 26:59.240]  Then download them one by one.
[26:59.360 --> 27:01.120]  There is no way to do this.
[27:02.180 --> 27:03.460]  Because a lot of...
[27:03.460 --> 27:05.120]  Now this kind of...
[27:06.100 --> 27:06.760]  DEX files...
[27:06.760 --> 27:08.520]  There are some shortcomings.
[27:09.780 --> 27:12.340]  The number of methods supported by DEX files...
[27:12.340 --> 27:13.800]  Is limited.
[27:13.800 --> 27:15.380]  So it needs...
[27:15.380 --> 27:17.200]  Multi-DEX support.
[27:17.200 --> 27:18.000]  Such a mechanism.
[27:18.000 --> 27:19.920]  So there will be a lot of DEX.
[27:19.920 --> 27:22.420]  In order to integrate this change...
[27:23.120 --> 27:24.320]  The way they came up with...
[27:24.320 --> 27:26.300]  Is to use such a list file...
[27:26.300 --> 27:28.900]  To make a list.
[27:28.900 --> 27:30.840]  Then make an attack.
[27:30.840 --> 27:32.340]  And make a download.
[27:32.340 --> 27:35.100]  At the same time, at the level of DEX...
[27:35.100 --> 27:36.800]  There is no way to do...
[27:36.800 --> 27:38.460]  Signature verification.
[27:38.460 --> 27:40.100]  Because in this file...
[27:40.100 --> 27:42.580]  There is no information related to the application signature.
[27:44.040 --> 27:46.920]  So we can...
[27:46.920 --> 27:49.320]  Like this...
[27:49.320 --> 27:49.720]  DEX...
[27:49.720 --> 27:50.900]  DEX is...
[27:51.740 --> 27:53.400]  M-O-A-I patch...
[27:53.400 --> 27:54.720]  Under this path...
[27:54.720 --> 27:57.220]  Write a DEX of any kind.
[27:57.220 --> 27:58.360]  That is to use...
[27:58.360 --> 28:00.900]  The method we introduced in the online email master...
[28:00.900 --> 28:03.020]  This kind of SMARTY input method.
[28:03.020 --> 28:04.020]  Input a file.
[28:04.020 --> 28:05.640]  Then write it in.
[28:05.800 --> 28:07.820]  When it is executed next time...
[28:07.820 --> 28:10.020]  You can get a reverse email.
[28:10.280 --> 28:11.900]  The reverse file of the mailbox...
[28:11.900 --> 28:14.020]  I think the effect of the application is still great.
[28:14.020 --> 28:16.580]  Not only can you do this...
[28:17.200 --> 28:18.080]  Dragon attack.
[28:18.080 --> 28:18.960]  That is to say...
[28:18.960 --> 28:23.100]  Copy all his mails at the same time.
[28:23.120 --> 28:25.340]  So that we can see all his emails.
[28:25.340 --> 28:27.820]  You can fake his identity and send emails.
[28:27.820 --> 28:29.900]  It can even cause worm effects.
[28:29.900 --> 28:30.920]  That is...
[28:30.920 --> 28:32.520]  For each contact person...
[28:33.120 --> 28:35.020]  Each such contact person...
[28:35.020 --> 28:37.060]  Send more such files...
[28:37.060 --> 28:39.560]  There is still a certain range of influence.
[28:41.080 --> 28:42.780]  But we just mentioned...
[28:42.780 --> 28:44.900]  This is a problem with the hot patching mechanism.
[28:45.860 --> 28:46.580]  So...
[28:46.580 --> 28:49.760]  Will only this old version be affected?
[28:49.760 --> 28:51.700]  Because there is no patch in the new version.
[28:51.700 --> 28:54.020]  So there is no patch path.
[28:54.020 --> 28:56.020]  We found in the middle of the analysis...
[28:56.020 --> 28:57.240]  It has such a...
[28:57.240 --> 28:59.480]  A patch-specific XML file.
[28:59.920 --> 29:00.400]  Inside...
[29:01.940 --> 29:02.900]  This...
[29:03.920 --> 29:05.840]  When to apply the patch...
[29:05.840 --> 29:07.420]  The patch link...
[29:07.420 --> 29:10.000]  What path the patch will be placed under?
[29:10.760 --> 29:11.800]  And this...
[29:11.800 --> 29:12.840]  Related...
[29:12.840 --> 29:14.160]  Such a patch key...
[29:14.160 --> 29:18.440]  If you replace this file...
[29:18.440 --> 29:19.060]  That is...
[29:19.060 --> 29:21.420]  Can reach this...
[29:21.420 --> 29:22.680]  Multi-stage...
[29:24.240 --> 29:25.920]  Requires more...
[29:25.920 --> 29:27.240]  An interaction of cycles...
[29:27.240 --> 29:29.660]  But it can eventually reach such a...
[29:29.660 --> 29:30.720]  In the middle of the new version...
[29:31.060 --> 29:32.520]  Can also be used...
[29:35.060 --> 29:37.600]  Finally, let's talk about...
[29:37.600 --> 29:39.840]  How to do a fix.
[29:40.200 --> 29:41.420]  Before that...
[29:41.420 --> 29:43.420]  We just talked about this...
[29:44.340 --> 29:45.580]  Some common files...
[29:45.580 --> 29:47.100]  For example, the SQLite database...
[29:47.100 --> 29:49.460]  This file can actually...
[29:49.460 --> 29:51.380]  In a situation where it cannot be overwritten...
[29:51.380 --> 29:52.340]  Be overwritten...
[29:52.340 --> 29:53.660]  Because we can...
[29:56.580 --> 29:58.040]  Write a journal file...
[29:58.040 --> 29:58.480]  Under the db path...
[29:58.480 --> 30:01.060]  When it rolls back in time...
[30:01.060 --> 30:02.660]  It will have a...
[30:02.660 --> 30:04.200]  The effect of rolling back...
[30:04.200 --> 30:05.940]  Can put this...
[30:06.700 --> 30:08.320]  A change in the database...
[30:08.320 --> 30:10.480]  Is to modify it back...
[30:10.480 --> 30:12.300]  Indirectly create a...
[30:12.300 --> 30:14.340]  An arbitrary overwrite of a db file...
[30:14.340 --> 30:16.820]  And finally, let's talk about how to fix it.
[30:16.820 --> 30:19.120]  Fix, in fact...
[30:19.120 --> 30:20.840]  The most critical step is...
[30:20.840 --> 30:22.760]  To do a...
[30:22.760 --> 30:24.660]  To do a...
[30:24.660 --> 30:25.600]  A bit of a test...
[30:25.600 --> 30:28.780]  First of all, we have to ensure that this file name...
[30:28.780 --> 30:29.620]  It is...
[30:29.620 --> 30:31.220]  To canonicalize it...
[30:31.220 --> 30:34.940]  Use this...
[30:37.000 --> 30:38.480]  Use this...
[30:39.520 --> 30:40.260]  Or...
[30:40.260 --> 30:41.820]  Such a standardized file...
[30:41.820 --> 30:43.040]  Read it out...
[30:43.040 --> 30:43.680]  And then...
[30:43.680 --> 30:46.380]  See if its db path...
[30:46.380 --> 30:47.460]  Is it...
[30:47.460 --> 30:51.420]  Under the path we need to write...
[30:51.420 --> 30:52.880]  If it exceeds...
[30:52.880 --> 30:54.580]  It is a path...
[30:54.580 --> 30:56.260]  A process that may exist...
[30:56.260 --> 30:58.580]  If we add this line of code...
[30:58.580 --> 31:00.680]  Is to be able to...
[31:00.680 --> 31:01.940]  Can cancel this path...
